213 lines
6 KiB
YAML
213 lines
6 KiB
YAML
---
|
|
# tasks file for acme.sh
|
|
- name: Create system acme group
|
|
become: true
|
|
ansible.builtin.group:
|
|
name: "{{ acme_group }}"
|
|
state: present
|
|
system: true
|
|
|
|
- name: Create system acme user
|
|
become: true
|
|
ansible.builtin.user:
|
|
name: "{{ acme_user }}"
|
|
group: "{{ acme_group }}"
|
|
home: "{{ acme_home }}"
|
|
shell: "{{ acme_shell }}"
|
|
state: present
|
|
system: true
|
|
create_home: true
|
|
skeleton: false
|
|
|
|
- name: Ensure directories exist
|
|
ansible.builtin.file:
|
|
path: "{{ item }}"
|
|
state: directory
|
|
mode: "0755"
|
|
owner: "{{ acme_user }}"
|
|
group: "{{ acme_group }}"
|
|
loop:
|
|
- "{{ acme_home }}"
|
|
- "{{ acmesh_config_path }}"
|
|
- "{{ acmesh_install_path }}"
|
|
- "{{ acmesh_cert_path }}"
|
|
|
|
- name: Check acme.sh installation
|
|
ansible.builtin.stat:
|
|
path: "{{ acmesh_config_path }}/account.conf"
|
|
register: stat_account_conf
|
|
|
|
- name: Download and install acme.sh
|
|
when: not stat_account_conf.stat.exists
|
|
become: true
|
|
become_method: su
|
|
become_user: "{{ acme_user }}"
|
|
become_flags: '-s /bin/sh'
|
|
become_exe: "sudo su"
|
|
block:
|
|
- name: Create temporary directory for git repository
|
|
ansible.builtin.tempfile:
|
|
state: directory
|
|
prefix: acmesh_git_
|
|
register: acme_tmp_repo
|
|
changed_when: false
|
|
|
|
- name: Temporary clone acme.sh git repository
|
|
ansible.builtin.git:
|
|
dest: "{{ acme_tmp_repo.path }}"
|
|
clone: true
|
|
depth: 1
|
|
repo: "{{ acmesh_repository }}"
|
|
version: "{{ acmesh_version }}"
|
|
changed_when: false
|
|
|
|
- name: Make install script executable
|
|
ansible.builtin.file:
|
|
path: "{{ acme_tmp_repo.path }}/acme.sh"
|
|
mode: "0744"
|
|
owner: acme
|
|
group: acme
|
|
|
|
- name: Install acme.sh
|
|
ansible.builtin.command:
|
|
cmd: >
|
|
"{{ acme_tmp_repo.path }}/acme.sh"
|
|
--install
|
|
--home "{{ acmesh_install_path }}"
|
|
--config-home "{{ acmesh_config_path }}"
|
|
--cert-home "{{ acmesh_cert_path }}"
|
|
--accountemail "{{ acmesh_email | mandatory }}"
|
|
--nocron
|
|
chdir: "{{ acme_tmp_repo.path }}"
|
|
creates: "{{ acmesh_config_path }}/account.conf"
|
|
|
|
always:
|
|
- name: Delete temporary git clone
|
|
ansible.builtin.file:
|
|
path: "{{ acme_tmp_repo.path }}"
|
|
state: absent
|
|
changed_when: false
|
|
|
|
- name: "Set default CA [letsencrypt]"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ acmesh_config_path }}/account.conf"
|
|
regexp: '^DEFAULT_ACME_SERVER='
|
|
line: "DEFAULT_ACME_SERVER='https://acme-v02.api.letsencrypt.org/directory'"
|
|
|
|
- name: Create sudo config file
|
|
ansible.builtin.file:
|
|
path: "/etc/sudoers.d/60_user_{{ acme_user }}"
|
|
state: touch
|
|
mode: "0440"
|
|
owner: root
|
|
group: root
|
|
access_time: preserve
|
|
modification_time: preserve
|
|
|
|
- name: Configure sudo permissions
|
|
become: true
|
|
ansible.builtin.lineinfile:
|
|
path: "/etc/sudoers.d/60_user_{{ acme_user }}"
|
|
line: "{{ acme_user }} ALL=(ALL:ALL) NOPASSWD: /usr/bin/{{ item.reloadcmd | regex_replace('^sudo (.*)$', '\\1') }}"
|
|
state: present
|
|
validate: /usr/sbin/visudo -csf %s
|
|
loop: "{{ acme_domains }}"
|
|
when: acme_domains is defined
|
|
|
|
- name: Ensure directories exist
|
|
become: true
|
|
ansible.builtin.file:
|
|
path: "{{ item }}"
|
|
state: directory
|
|
mode: "0755"
|
|
owner: "{{ acme_user }}"
|
|
group: "{{ acme_group }}"
|
|
loop:
|
|
- "{{ tls_cert_path }}"
|
|
|
|
- name: Issue and install certificate
|
|
when: acme_domains is defined
|
|
become: true
|
|
become_method: su
|
|
become_user: "{{ acme_user }}"
|
|
become_flags: '-s /bin/sh'
|
|
become_exe: "sudo su"
|
|
block:
|
|
- name: Issue certificate with Netcup
|
|
ansible.builtin.command:
|
|
cmd: >
|
|
"{{ acmesh_install_path }}/acme.sh"
|
|
--issue
|
|
--dns dns_netcup
|
|
-d "{{ item.domain }}"
|
|
{% if item.san is defined %}
|
|
{% for san in item.san %}
|
|
-d "{{ san }}"
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% if item.keylength is defined %}
|
|
--keylength "{{ item.keylength }}"
|
|
{% endif %}
|
|
{% if item.staging is defined %}
|
|
--staging
|
|
{% endif %}
|
|
{% if item.dnssleep is defined %}
|
|
--dnssleep {{ item.dnssleep }}
|
|
{% endif %}
|
|
creates: "{{ acmesh_cert_path }}/{{ item.domain }}_ecc/{{ item.domain }}.cer"
|
|
environment:
|
|
LE_WORKING_DIR: "{{ acmesh_install_path }}"
|
|
LE_CONFIG_HOME: "{{ acmesh_config_path }}"
|
|
NC_CID: "{{ netcup_user | mandatory }}"
|
|
NC_Apikey: "{{ netcup_api_key | mandatory }}"
|
|
NC_Apipw: "{{ netcup_api_password | mandatory }}"
|
|
loop: "{{ acme_domains }}"
|
|
|
|
- name: Install certificates
|
|
ansible.builtin.command:
|
|
cmd: >
|
|
"{{ acmesh_install_path }}/acme.sh"
|
|
--installcert
|
|
-d "{{ item.domain }}"
|
|
{% if 'ec' in item.keylength %}
|
|
--ecc
|
|
{% endif %}
|
|
--cert-file "{{ tls_cert_path }}/{{ item.domain }}.crt"
|
|
--key-file "{{ tls_cert_path }}/{{ item.domain }}.key"
|
|
--ca-file "{{ tls_cert_path }}/{{ item.domain }}.ca"
|
|
--fullchain-file "{{ tls_cert_path }}/{{ item.domain }}.fullchain"
|
|
{% if item.reloadcmd is defined %}
|
|
--reloadcmd '{{ item.reloadcmd }}'
|
|
{% endif %}
|
|
creates: "{{ tls_cert_path }}/{{ item.domain }}.crt"
|
|
environment:
|
|
LE_WORKING_DIR: "{{ acmesh_install_path }}"
|
|
LE_CONFIG_HOME: "{{ acmesh_config_path }}"
|
|
loop: "{{ acme_domains }}"
|
|
|
|
- name: Install systemd service
|
|
ansible.builtin.template:
|
|
src: acme_sh.service.j2
|
|
dest: /etc/systemd/system/acme_sh.service
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
notify: Reload systemd daemon
|
|
|
|
- name: Install systemd timer
|
|
ansible.builtin.template:
|
|
src: acme_sh.timer.j2
|
|
dest: /etc/systemd/system/acme_sh.timer
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
notify:
|
|
- Reload systemd daemon
|
|
- Restart acme_sh systemd timer
|
|
|
|
- name: Enable systemd timer
|
|
ansible.builtin.systemd:
|
|
name: acme_sh.timer
|
|
enabled: true
|
|
scope: system
|
|
state: started
|